WebView error on Android 6 (API 23) and lower on debug and release build types

Question

WebView error on Android 6 (API 23) and lower on debug and release build types

Closed this issue 2 months ago · 6 comments

On all Android 6 devices and lower I'm getting this error:

X509Util: Error creating trust manager (com.appmattus.certificatetransparency.internal.verifier.CertificateTransparencyTrustManager): java.lang.IllegalArgumentException: tm is an instance of com.appmattus.certificatetransparency.internal.verifier.CertificateTransparencyTrustManager which is not a supported type of X509TrustManager

This results in "Webpage not available (net:ERR_FAILED)" error and you can only catch this error in the onReceivedError function inside of the WebViewClient class.

I'm using installCertificateTransparencyProvider method for setting up the library.

More info:

lib version v1.1.1 (latest)
minifyEnabled false
minSdkVersion 21
targetSdkVersion 32
compileSdkVersion 32

Answer 1 · 2022-11-02T16:35:26.000Z

As I understand there is a good explanation here why this is happening. I would be grateful if @mattmook you can look at this because we are using your lib in production and except for this it is really great and easy to use. You did a really good job.

Answer 2 · 2022-11-02T17:26:28.000Z

If anybody is wondering I fixed this issue by implementing a custom WebViewClient and overriding shouldInterceptRequest with OkHttp library that isn't affected with this issue.

override fun shouldInterceptRequest(view: WebView, request: WebResourceRequest): WebResourceResponse? {
            val okHttpRequest: Request = Request.Builder().url(request.url.toString()).build()
            return try {
                val response: Response = okHttp.newCall(okHttpRequest).execute()
                WebResourceResponse("", "", response.body?.byteStream())
            } catch (e: IOException) {
                Timber.e(e)
                null
            }
        }

Answer 3 · 2023-03-14T10:25:52.000Z

I'm not sure how feasible it will be to fix this given the explanation linked.

You have to be careful with the above "fix" as it will only apply to GET requests so if your WebView uses POST requests then these will no doubt either not apply CT checks or fail with the same original exception.

Answer 4 · 2023-04-24T15:24:19.000Z

@kancic I'm now using the latest version of CT 2.2.1, kotlin 1.8.20, AGP 7.4 and I cannot reproduce it anymore

Answer 5 · 2023-06-06T14:27:39.000Z

@kancic I'm now using the latest version of CT 2.2.1, kotlin 1.8.20, AGP 7.4 and I cannot reproduce it anymore

I still see the issue with CT 2.4.6, Kotlin 1.8.20 and AGP 8

Answer 6 · 2024-05-20T07:53:10.000Z

Closing this issue as won't fix as there is no way around it. The best I can do is offer a note in the readme to warn that the Java Security Provider will cause issues on API 23 and lower.